assess controls in an IS environment. IS controls provide assurance over the accuracy, reliability,
and integrity of the information processed. From the audit work, a determination is made as to
whether controls exist and are operating as designed. In performing the audit work, the audit staff
uses audit standards set forth by the United States Government Accountability Office.

Members of the IS audit staff hold degrees in disciplines appropriate to the audit process. Areas
of expertise include business, accounting and computer science.

IS audits are performed as stand-alone audits of IS controls or in conjunction with
financial-compliance and/or performance audits conducted by the office. These audits are done under the
oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing
committee of the Montana Legislature. The committee consists of six members of the Senate and
six members of the House of Representatives.
Executive Summary



The Montana Information Technology Act (MITA) was enacted to
facilitate effective deployment of information technology resources in
Montana, and reduce unnecessary duplication of information
technology (IT) resources. MITA assigns responsibility for enterprise
IT management to the Department of Administration (DofA).
Enterprise IT management describes the goal of coordinating the
efforts, spending, and resources for IT across the greater organization
of the State of Montana. Where resources used to address these
common elements can be shared, instead of duplicated, the state
benefits in savings of money, time, hardware/software, and employees.

The scope of this audit included determining responsibilities for
addressing MITA implementation, and the effectiveness of the
management, policy, planning, and enforcement requirements of
MITA. Scope was comprised of three primary objectives, including:
to determine whether the rules and procedures established by DofA to
implement MITA are consistent with legislative intent, to determine
whether the agency IT planning process is effectively achieving the
intent of MITA, and to determine whether the process used by DofA to
establish statewide policies presents effective and sound policy. Audit
work included interviews with DofA management and personnel, and
reviewing rules and existing documentation related to MITA,
including policies, IT plans, process documents, templates and forms
for tasks such as IT purchase requests, and position descriptions. We
also attended monthly Information Technology Management Council
(ITMC) meetings, a weekly meeting of the Policy and Planning
Services Bureau business analyst team, an ITMC sub-committee
meeting to discuss two policies, and surveyed agency IT managers
regarding DofA's statewide policy and planning activities.

DofA has made some progress towards MITA implementation in
select areas, but does not have an established process to ensure the IT
planning and overall requirements of MITA are addressed and
implemented consistent with legislative intent. Documentation of
rules, policy and procedures is minimal and inconsistent. This report
contains findings and recommendations addressing the overall
implementation of MITA and areas of shortcoming.




Chapter I - Audit Scope and Methodology 



Introduction

Effective July 1, 2001, the legislature enacted the Montana
Information Technology Act (MITA) to facilitate effective
deployment of information technology resources in Montana, and
reduce unnecessary duplication of information technology (IT)
resources. MITA assigns responsibility for enterprise IT
management to the Department of Administration (DofA).
Enterprise IT management describes the goal of coordinating the
efforts, spending, and resources for IT across the greater organization
of the State of Montana, rather than the local IT management of the
individual agencies. Each agency has specific tasks and needs for
their IT, but they also share common elements. Where resources
used to address these common elements can be shared, instead of
duplicated, the state benefits in savings of money, time,
hardware/software, and employees. The increasing importance of
coordinating and organizing IT resource development and
deployment is evidenced by the more than $110 million in IT
expenditures by state agencies in fiscal year 2004.

Statutorily, MITA establishes the following:

Chief Information Officer (CIO) - an individual appointed by the
director of DofA to carry out the duties and responsibilities relating
to statewide information technology issues.

Strategic Planning - each state agency, including the Department of
Administration, is required to develop and maintain an IT plan. The
DofA must also establish and enforce a strategic IT plan for the State
of Montana to guide all agencies. DofA must review and approve all
agencies' IT plans.

Implementation and Enforcement - DofA is charged with
implementing MITA and all subsequent IT related initiatives. State
law requires DofA to establish and enforce statewide IT policy,
standards, and rules.

Procurement Approval - agency specifications and procurement
methods for the acquisition of IT resources must be reviewed and
approved by the DofA.

Information Technology Board - an advisory board was
created, providing a forum to assist with the management of
information technology used by the State.

DofA reorganized part of its Information Technology Services
Division (ITSD) structure and appointed the first CIO in 2002. Two
Deputy CIO positions were created: one focused on managing
service operations, and one focused on managing policy and
planning. A set of rules were written to specify dates for submission
of agency IT plans, as well as provide high-level descriptions of the
processes for IT procurement requests (ITPR), and requesting
policies, standards, and exceptions to them.

The Policy and Planning Service Bureau (PPSB) was established and
assigned the most significant responsibilities for addressing MITA
requirements. The Office of Cyber Protection (OCP) and Project
Management Office (PMO) were also established.

In 2004, the CIO instituted a reorganization of ITSD with a
significant change involving the consolidation of the Deputy CIO
positions. This has been the status for the past year.



Objectives

The objectives of this audit were:

► To determine whether the rules and procedures established by
DofA to implement MITA are consistent with legislative intent.

► To determine whether the agency IT planning process is
effectively achieving the intent of MITA.

► To determine whether the process used by DofA to establish
statewide policies creates effective and sound policy.

Scope and Methodology

The scope of this audit included determining responsibilities for
addressing MITA implementation, and the effectiveness of the
management, policy, planning, and enforcement requirements of
MITA. We established the legislative "intent" of the Act through
readings of the MITA statutes and review of the meeting minutes from
the Appropriations, State Administration, and Energy and
Telecommunications committees regarding Senate Bill 131
(Chapter 313, Laws of 2001). The intent of MITA was to create a
management function to manage and control the use of IT in state
agencies as an enterprise, providing centralized oversight, rule
making authority, and creating accountability structures to
accomplish the statutory goal of developing IT resources in an
organized, deliberative and cost-effective manner. DofA must
establish information technology policies, standards, and objectives
for the state as a whole, and is charged with ensuring this is done via
enforcements and rules. The management function was intended to
be a leadership role, and was specifically drawn to ensure
inter-agency cooperation, greater control of spending approval to
eliminate redundancy and waste, and to create a clear vision of the
goals of Montana as a state with regards to IT.

We reviewed rules and obtained existing documentation related to
MITA from the DofA management. We compared the
documentation with statute content and our established legislative
"intent" document for completeness and effectiveness in the
implementation of MITA. The documents acquired from DofA
included: policies, IT plans, process documents, templates and forms
for tasks such as IT purchase requests, and position descriptions.

We conducted individual and group interviews with the DofA
management to acquire a verbal representation of their procedures
used to address MITA implementation. Interviews also included the
Project Management Office and Office of Cyber Protection within
DofA. We attended three monthly Information Technology
Management Council (ITMC) meetings between April and June
2005. We attended a weekly meeting of the PPSB business analyst
team, and an ITMC sub-committee meeting to discuss two policies.
Finally, we surveyed agency IT managers regarding DofA's
statewide policy and planning activities.

This audit was conducted in accordance with government auditing
standards published by the United States Government Accountability
Office.
Chapter II - Statewide IT Management and Control



Introduction

The Montana Information Technology Act (MITA) presents the state
with an opportunity to have centralized management and control of
IT. Having one agency managing and leading the direction of IT
provides the state with many potential benefits, including: improved
consistency across systems due to standardized hardware, software,
and IT practices; clarity regarding statewide IT goals and strategies;
ensuring agency alignment with statewide strategies; increased
organization due to statewide policy procedures; integration of
systems and data; and reduction in IT procurement and operations
costs. Accountability can be maintained because one agency is
responsible for centralized management and oversight.

With the enactment of MITA came an expectation from legislators
for significant change in the way statewide IT operations are
managed and overseen, and a change in how the Department of
Administration (DofA) interacts with agencies. In addition to the
service-oriented approach that has historically driven ITSD within
DofA, the Department would have to actively take charge through
management, oversight, initiative, and leadership of state agencies
regarding information technology. MITA requires change via strong
language that requires an active approach to statutory
responsibilities.

Examples of strong language are included in the statute that outlines
the powers and duties of the department, section 2-17-512, MCA. It
states the department shall:

► "promote, coordinate, and approve the development and sharing
of shared information technology application software,
management systems, and information that provide similar
functions for multiple state agencies."

► "establish and enforce a state strategic information technology
plan."

► "establish and enforce statewide information technology policies
and standards"

► "review and approve state agency information technology
plans"

► "review and approve state agency specifications and
procurement methods for the acquisition of information
technology resources,"

► "review, approve, and sign all state agency contracts and shall
review and approve other formal agreements for information
technology resources provided by the private sector and other
government entities," and

► "implement this section, and all other laws for the use of
information technology in state government"

The language not only establishes responsibilities for department
action through promoting, coordinating, and establishing activities,
but also gives the department control through enforcing, approving,
and implementing responsibilities.

The enforcement responsibility is strengthened in section 2-17-514,
MCA, which states, "If the department determines that an agency is
not in compliance with the state strategic information technology
plan, the agency information technology plan, or statewide
information technology policies and standards, the department may
cancel or modify any contract, project, or activity that is not in
compliance." MITA further outlines enforcement methods through
coordination with the budget office for IT requests, and allowing the
transfer of funds, equipment, facilities and employees from agencies
to ensure the cost-effective use of IT resources. These responsibility
areas are clearly outlined in state law.



DofA Management 
Perspective 



DofA has not established itself as a management-oriented body,
instead choosing a passive approach by offering IT management
services to the agencies while allowing agency consensus to dictate
direction of IT management issues. Only select sections of MITA
are being actively addressed, as opposed to an approach achieving
each of the objectives and establishing the organizational
management and control structures outlined in statute. Of the sixteen
sections of MITA that fell under the scope of this audit, nine are not
being implemented and enforced to the intent outlined in state law.

A key issue in implementation of MITA is the perspective of the
management and leadership role as it relates to MITA. We discussed
the intent of MITA with the DofA - Information Technology
Services Division (ITSD) management, and asked management to
provide us with their current perspective on MITA. ITSD
management has stated that their perspective on the charges of
MITA was to build consensus and provide management services to
the agencies. When compared with our observations of ITSD
interaction with the agencies, their stated concept of service to the
agencies was well established. DofA's stated perspective on MITA
is also based on the interpretation that the Act was to minimize large
problems or flagrant abuse of resources for IT. While this is part of
the intent of MITA, the Act is far more rooted in the idea of
increasing the efficiency of IT resource utilization and reducing
redundancy of efforts across the enterprise IT of Montana.



CIO Vacancy



DofA is largely dependent upon the CIO position to guide statewide
IT progress, but has fallen short in terms of documenting rules,
policies, procedures and guidelines used by the department since the
inception of MITA, and thus does not have an effective way to carry
forward operations in case of CIO turnover. A CIO vacancy existed
for more than a year, and a vacuum of direction and decision within
ITSD has created an environment in which the agencies perceive no
actual management action. ITSD maintains that the goal of
consensus building has been their strategy. Upon review of agency
responses to our survey, the consensus building is being viewed as a
lack of decisiveness and leadership. At meetings of the Information
Technology Management Council (ITMC), we observed agency
representatives request guidance, and instead are given responses
that turn the question back on them by asking how they would like a
situation handled, or how they feel about the circumstance at hand.



No Active Enforcement 



ITSD relies on a system of self-reporting, and stated they do not
want to micro-manage agencies. Management commented that they
do not want to be monitoring and policing the agencies because they
do not have the adequate staffing, but added that just because
something is difficult, that does not relieve them of the statutory
responsibility. Regarding staffing, we asked the DofA management
if they had requested additional resources, such as employees, to aid
in executing the requirements of MITA. They indicated that they
had not.

The department has not actively addressed issues of enforcement for
agency non-compliance with policies, decisions, or even the statutes
established within MITA. For example, DofA must review and
approve agency IT plans as well as IT procurement requests (ITPRs).
Through MITA and DofA rules, all agency procurement must be
based on efforts described within an approved IT plan for the
agency. When asked how agencies without approved IT plans were
able to procure new IT resources, the DofA staff explained that when
ITPRs are submitted, they treat the request as if their plan was
approved. Staff also indicated that there were five agencies without
approved IT plans. The discussion was held in May 2005 and places
each of these plans approximately one year past the statutory
approval date, or half of the current biennium.



Conclusion

The DofA actions relating to the intent of MITA have been limited to
preventative measures for extremely serious abuses of the
procurement and use of IT resources. DofA has taken the strategy of
allowing agency consensus to dictate decisions as opposed to issuing
and enforcing policy or operational rules, and has not accepted the
responsibility to enforce and monitor the agency compliance with a
centralized IT management. The passive approach to management
has allowed non-cooperation by state agencies to be a cause for
DofA not fulfilling their statutory obligations. DofA has made some
progress towards MITA implementation in select areas, but does not
have an established process to ensure the IT planning and overall
requirements of MITA are addressed and implemented consistent
with legislative intent. Documentation of rules, policy and
procedures is minimal and inconsistent. The following chapters
further discuss findings and recommendations addressing the overall
implementation of MITA and areas of shortcoming.

Recommendation #1



We recommend DofA commit to and execute the centralized
management and control of IT required by the Montana
Information Technology Act.
Chapter III - Implementation Plans



Not Every Element of MITA Has Been Addressed



The Montana Information Technology Act (MITA) charges the
Department of Administration (DofA) to appoint a Chief Information
Officer (CIO) and structure a centralized coordination for the State's
information technology (IT). MITA states that the development of
IT resources for the state must be conducted in "an organized,
deliberate, and cost-effective manner." During our work, it was
difficult to substantiate that these goals are being met. We requested
documentation related to the implementation plans for addressing
MITA, as well as policies, rules, and supporting documentation of
how DofA is managing the organization of these goals. We expected
to see the following areas addressed, and evidence that DofA and the
agencies are using them:



1) A plan to address each element of MITA, including
interpretations and timetables for compliance and
implementation.

2) Documents that define the processes of developing, as well as
maintaining, enterprise IT policies and other standards.

3) A set of policies, standards, rules, and other procedural
documents governing how DofA and the agencies would become
compliant with MITA.

4) A complete and approved IT plan and biennial performance
report for each agency as well as for the overall State of Montana
as required by statute.

We did not see all the areas addressed. Implementation is discussed
in this chapter, while the three remaining areas are discussed in
Chapter IV.



Implementation Plans 



We asked DofA management for their overall approach to MITA.
They explained that no organized attempt has been made to review,
interpret, and plan for the implementation of each element of MITA.
Likewise, documentation of their approach does not exist. In
interviews with management, their philosophy on MITA has taken
the approach of consensus building rather than dictating or
micromanaging the agencies. Management stated that they felt there
was a range of interpretations to MITA and chose to interpret it as
more of an effort to work with the agencies instead of dictating
policy to them. They stated that they viewed the goal of MITA was
to prevent the big problems, and that perhaps the focus needed to be
shifted.



Conclusion 



DofA has not made significant progress towards an organized,
deliberate, and cost-effective approach to addressing each area of
responsibility and authority provided in MITA. In selective
instances, they have attempted to address areas of planning and
procurement, but have not established the rules for enforcement and
implementation of the majority of MITA.



Recommendation #2



We recommend DofA develop and document implementation
plans addressing each section of MITA.
Documentation Is Minimal and Inconsistent



DofA is charged with rulemaking; policy and standard
establishment; and enforcement, in conjunction with the statutory
requirements of MITA. In the four years since MITA was enacted,
DofA has made minimal progress in construction of such a
framework. There is no documented process defining how DofA
uses management methods and documents to ensure statewide
compliance with MITA, including: writing policy, standards,
enforcement guidance; rulemaking, communication and
dissemination of the aforementioned documents; or the approval of
IT plans and IT procurements for the agencies.



State law states that DofA shall adopt rules to implement MITA and
specifies fourteen areas that are to be included as rules in the
rulemaking section of MITA. DofA's adopted rules related to MITA
responsibilities number only eight and do not cover all of the areas
outlined in the rulemaking section. Of the eight, two are the
introduction and definitions of terms used within that section of the
Administrative Rules. It is important to document policies and
procedures used to implement statutes, as well as any interpretations
or discretion of how or when a specified statute or policy would be
applied or enforced.

No overall approach to MITA has been established, as described in
Chapter III of this report. This makes it difficult to measure the
standards, policies, and procedures that might be necessary to
effectively address MITA. We did, however, review the content of
existing policies and standards to determine if gaps exist between the
statutory charges of MITA and DofA's progress in addressing them
with documentation. Our review noted the majority of existing
policy applies to the security aspect of information technology,
which comprises one of the more than twenty sections within the
scope of MITA. Upon review, the documents themselves lack
consistency from one policy to the next, regarding content, required
details, and appearance. For example, only half of the policies we
reviewed contained a clearly defined statement of purpose.
DofA has a template outlining four content areas for policies, but the
template is at a high level that does not describe the detail required in
each content area, and not all policies conform to the template.
DofA does not have a process to ensure policies are consistent and
clear. Further, there are not procedures to maintain and periodically
review and update policies to ensure consistency, applicability, and
effectiveness. While software-related standards have been
established, and term contracts exist for some hardware, other areas
of IT such as procedural practices have not been addressed.
Standards and policies are not established in areas of practice in IT,
such as project management. For example, regular interaction with
the Project Management Office could be required through a
statewide policy, and standards could be set for project management
methodologies.

The following examples illustrate the gaps in policies and standards
and the implementation of MITA. These examples are in the areas
of:

► IT procurement
► agency IT plans
► performance reports

Review and approval of agency IT resources and systems -
section 2-17-518(1), MCA

DofA's rules state that each agency shall submit a request for
approval for all IT procurements and all IT development efforts.
DofA is not currently collecting requests for all procurements and
development efforts as it has delegated the authority to agencies for
internally approving select procurement requests. The rule wording
is inconsistent with current practice. Additionally, DofA staff and
management informed us that currently, agencies must self-report
procurements and development efforts in order for DofA to be aware
that they are going on. Staff further explained that some agencies are
unaware as to what constitutes a development effort, and therefore,
do not notify DofA that the development is occurring. As written,
the rule is inconsistent with current DofA practices and does not
clearly and accurately identify the IT resource procurement and
development efforts that must be approved. DofA has defined the
information that agencies are required to provide for IT
procurements through their Information Technology Procurement
Request (ITPR) form. However, DofA does not have a form
specified for internal IT development efforts. The lack of request
form for internal IT development efforts contradicts the implications
presented in the rules, stating that agencies shall submit requests for
approval for all IT development efforts.

Approval of IT investments - section 2-17-523, MCA

DofA staff stated that although there currently are agencies that do
not have an approved IT plan, they have never rejected an IT
procurement request based solely on the fact that the IT plan is not
approved. One of the reasons given for unapproved IT plans is
unwillingness of agencies to cooperate in expanding and clarifying
plan content. By approving IT procurements to agencies without
approved plans, DofA is not effectively utilizing a statutorily defined
enforcement mechanism that would compel agency cooperation.

Development of agency IT plans - section 2-17-518(2), MCA

DofA has defined the content requirements for agency IT plans by
referencing the statutory section of MITA that lays out the form and
content of IT plans. DofA has also developed a template for
agencies to use in developing IT plans. However, the template and
content requirements do not include another statutory requirement in
Section 2-15-114(6), MCA that states that each agency IT plan
should include a general description of the agency security program
and future plans for ensuring the security of data.

Rules related to guidelines for DofA's approval decision for agency
IT plans mention the use of "criteria", but do not specify approval
criteria. DofA staff in charge of reviewing agency IT plans stated
that it is difficult to consistently review agency plans because of the
wide range of experience in IT planning throughout the agencies.
DofA staff also stated that the level of detail required in the plans
was not as defined as it should be, and some agencies have much
more trouble than others. Further, in response to our survey of
agency information technology managers, 22 of 26 respondents
(84 percent) replied that they do not understand the criteria used by
DofA in approving the IT plans.

Reviewing and approving agency IT plans - section 2-17-512, MCA

MITA outlines dates by which all agencies' IT plans must be
approved. DofA has established a timeline for the submission,
review, and approval process. However, DofA staff stated that there
are five agencies' IT plans for 2004 that have not been approved,
over a year past the statutorily required approval date of June 30 of
even-numbered years to coincide with the budget process.
Additionally, DofA staff stated that all currently approved agencies'
IT plans are posted on the Information Technology Services Division
webpage. However, upon review of the webpage, only 20 of the 34
agency plans posted were the current 2004 IT plans, which indicates
the number might be greater. In our survey, 13 of 26 responses
(50 percent) indicate agency IT plans had been approved by the
required dates in each of the last two biennial cycles.

Agency biennial performance reports - section 2-17-524(3), MCA

DofA conducts a biennial survey to collect information from each
agency used in creating the statewide biennial report. Some of the
statistical survey responses displayed in the statewide biennial report
for fiscal years 2004 and 2005 showed a significant amount of
non-responses to the survey. DofA does not require additional biennial
performance reports from agencies that evaluate progress toward
individual agency IT plans, as required by statute.



Conclusion

DofA cannot ensure consistent and continued application of policy,
procedures, enforcement, or coordination of resources without an
established and documented process of utilizing the management
methods available to them. During meetings, department
management acknowledged that they lack an overall framework for
building rules, policies, standards, and other documentation for
addressing MITA.
Recommendation #3



We recommend DofA:

A. Establish and document the process of using policies to
ensure DofA and state agencies comply with the Montana
Information Technology Act.

B. Establish and document procedures to maintain enterprise
IT policies and standards.



Lack of Coordination with the Budget Office

The Montana Information Technology Act (MIT A) Mules the 
department shall "coordinate wiih I he office of budget and program 
planning to evaluate budget requests thai include information 
technology resources." Further, section 2-17-523(3). MCA slates 
"New in vest si cms In information technology can be included in (he 
governors budget only if ihe pioject ts contained in the approved 
agency information technology plan/' The current coordination 
between DofA and the Office of Budget and Program Planning 
( OB PP) contains several inconsistencies with what MIT A requires. 



The interaction between OBPP and DofA is typically initiated by
OBPP. OBPP specifies agencies must substantiate the need for new
budget requests for projects costing at least $300,000 over a
biennium. DofA also adopts this threshold in its definition of new
projects or initiatives that must be included in agency IT plans.
OBPP only evaluates new budget requests (new money) related to IT
expenditures. The "new" investments defined in MITA do not
equate only to new budget requests, because new investments in IT
can be made within existing budgets for under the $300,000
threshold without being contained in an approved technology plan as
required by law. The current process initiated by OBPP will not
detect this situation or reduce unnecessary IT spending.



An agency without an approved IT plan, by law should not be
permitted to make any "new" investments in IT. However, if an
agency does not request new funding, OBPP would not question the
IT requests in their base budget. When asked whether OBPP was
informed of the IT plans that were not approved, as discussed in
Chapter III, OBPP management stated that the office did not recall
whether they were informed of the existence of unapproved agency
IT plans, but did not know for sure.



Conclusion 



Close interaction between DofA and OBPP is essential to ensuring
agency compliance with statutory requirements and statewide
policies and standards. By ensuring new investments are only
approved for agencies that comply with statutes, policies, and
standards, agencies will be compelled to cooperate if they want IT
operations funded. By not conducting the IT planning and budget
approval processes in conjunction, or consistent with statute, the
state is missing out on a key enforcement mechanism.



Recommendation #4

We recommend DofA coordinate with the Office of Budget and
Program Planning to enforce the statutory requirement that
new IT investments be included in the governor's budget only
if the project is included in the approved agency information
technology plan.
DEPARTMENT OF ADMINISTRATION
DIRECTOR'S OFFICE

STATE OF MONTANA

October 18, 2005

RECEIVED OCT 18 2005 LEGISLATIVE AUDIT DIV.

David Nowacki
Senior Information Systems Auditor
Legislative Audit Division
PO Box 201705
Helena, MT 59620-1705

Dear Mr. Nowacki:

We have reviewed the October 2005 Enterprise IT Management audit report and the
recommendations contained therein. Our response to the recommendations appears below:

Recommendation #1

We recommend DofA commit to and execute the centralized management and control of IT
required by the Montana Information Technology Act.

Response:

We concur. The department will carry out its statutory responsibilities of the Montana
Information Technology Act (MITA) by taking a strong leadership role in the management
and control of IT. The department remains committed to considering agency
recommendations regarding information technology while retaining decision-making
authority.

Recommendation #2

We recommend DofA develop and document implementation plans addressing each section
of MITA.

Response:

We concur. The department will develop an implementation plan that will address all of its
statutory responsibilities of MITA, section by section.
Recommendation #3

We recommend DofA:

A. Establish and document the process of using policies to ensure DofA and state agencies
comply with the Montana Information Technology Act.

B. Establish and document procedures to maintain enterprise IT policies and standards.

Response:

A. We concur. The department will provide clear direction and guidance to all state agencies
to ensure MITA compliance through the use of ARM, policies, procedures, standards, and
sanctions resulting from non-compliance.

B. We concur. The department will:

■ review existing procedures for establishing and maintaining policies and standards to
ensure they reflect the intent of MITA, and provide guidance for uniformity and
consistency;

■ review existing ARM, policies, and standards for consistency and MITA compliance;

■ identify areas that are not currently or adequately addressed by existing ARM,
policies and standards; and establish appropriate ARM, policies, procedures or
standards.

Recommendation #4

We recommend DofA coordinate with the Office of Budget and Program Planning to enforce
the statutory requirement that new IT investments be included in the governor's budget only if
the project is included in the approved agency information technology plan.

Response: 

We concur. The DofA will work with the Office of Budget and Program Planning (OBPP) to
develop the necessary policies and procedures to enforce the statutory provisions of MITA.
Specifically, we will:

A. Develop a policy that defines a major new IT investment.

B. Develop a process to review major new IT investments that are contained in an agency's
existing budget or its new budget proposal.

C. Develop a process to ensure major new IT investments are included in an agency's original
or amended IT Plan, whether the new IT investment is contained in the agency's existing
budget or its new budget proposal.
We recognize the magnitude of the challenges associated with implementing these
recommendations; but, we are committed to implementing the MITA in a manner consistent
with the audit recommendations.

Thank you and your staff for conducting the audit in a professional manner.